Introduction
The purpose of this blog is to cover the recommendations for configuring administrator segregation within the Compliance and Security center.
Compliance & Security Center
The Compliance & Security Center offers limited RBAC settings but no option to create new management roles. Because of these RBAC limitations, an administrator's eDiscovery searches across SharePoint, OneDrive and mailboxes cannot be scoped within the Compliance & Security Center itself. OneDrive eDiscovery can be restricted by defining the secondary administrators.
To address the permission scope limitation, Microsoft released the New-ComplianceSecurityFilter cmdlet. New-ComplianceSecurityFilter scopes which administrators can perform eDiscovery and legal hold against specific mailboxes, OneDrive for Business sites, and SharePoint sites.
Lab Configuration
This section of the document covers the configuration within the Office 365 tenant.
Mailbox
# Scope Corey's searches to members of the US-Mailboxes distribution group
$DG = Get-DistributionGroup "US-Mailboxes"
New-ComplianceSecurityFilter -FilterName US-Location -Users Corey -Filters "Mailbox_MemberOfGroup -eq '$($DG.DistinguishedName)'" -Action Search
OneDrive
# Scope Corey's searches to a single OneDrive for Business site (the original filter string was missing the comparison operator)
New-ComplianceSecurityFilter -FilterName US-ODFB -Users Corey -Filters "Site_Path -eq 'https://cb5dev-my.sharepoint.com/personal/tim_cb5dev_com'" -Action Search
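A related check a practitioner would want after creating filters is to find eDiscovery managers who have no compliance security filter at all and can therefore still search every mailbox and site. The script below is an added example, not from the original post; it assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession from the ExchangeOnlineManagement module) and that the member's Name, PrimarySmtpAddress or Alias matches the identity used in -Users when the filter was created.

```powershell
# Added example (not from the original post): list members of the
# "eDiscovery Manager" role group that no compliance security filter covers.
# Assumes an existing Security & Compliance PowerShell session
# (Connect-IPPSSession from the ExchangeOnlineManagement module).

function Get-UnscopedEdiscoveryManagers {
    param(
        [string]$RoleGroup = 'eDiscovery Manager'
    )

    $filters = @(Get-ComplianceSecurityFilter)

    # A filter whose Users value is "All" applies to every administrator,
    # so in that case nobody in the role group is unscoped.
    if ($filters | Where-Object { $_.Users -contains 'All' }) {
        return @()
    }

    # Every identity named in any filter's Users property counts as scoped.
    $scoped = $filters |
        ForEach-Object { $_.Users } |
        Where-Object { $_ } |
        ForEach-Object { $_.ToString().ToLowerInvariant() } |
        Sort-Object -Unique

    # Assumption: Name, PrimarySmtpAddress or Alias of the member object matches
    # the string that was passed to -Users when the filter was created.
    Get-RoleGroupMember -Identity $RoleGroup | Where-Object {
        $candidates = @($_.Name, $_.PrimarySmtpAddress, $_.Alias) |
            Where-Object { $_ } |
            ForEach-Object { $_.ToString().ToLowerInvariant() }
        -not ($candidates | Where-Object { $scoped -contains $_ })
    }
}

# Report the members who can still search every mailbox and site in the tenant.
Get-UnscopedEdiscoveryManagers |
    Select-Object Name, RecipientType |
    Format-Table -AutoSize
```

Run it again after each New-ComplianceSecurityFilter call to confirm the remaining list is only the administrators who are meant to have tenant-wide search.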
Test Cases
This section of the document covers the test cases we executed in our lab environment. The results of the test cases directly influenced our recommendations.
Validation Key
Pass – The expected results were achieved
Fail – The expected results were not achieved
Validation
Test Case – 01: Created Content Search
Explanation: Perform a content search against all mailboxes for the word test
Expected Result: Only Tim's mailbox content will be returned in the search
Test Actions: Perform a content search against all mailboxes
Comments from Test: Content search returned the expected results
Test Date: 8/6/2018
Result: Pass

Test Case – 02: Other Administrator Content Search
Explanation: Perform a content search against all mailboxes for the word test
Expected Result: All mailboxes are returned in the content search
Test Actions: Perform a content search against all mailboxes using Gerald's account
Comments from Test: Corey is able to open the content search created by Gerald and thus sees all the mailboxes in the organization
Test Date: 8/6/2018
Result: Fail

Test Case – 03: Created eDiscovery Case
Explanation: Perform a search within an eDiscovery case against all mailboxes for the word test
Expected Result: Only Tim's mailbox content will be returned in the search
Test Actions: Perform a content search against all mailboxes
Comments from Test: Content search within the eDiscovery case returned the expected results
Test Date: 8/6/2018
Result: Pass

Test Case – 04: OneDrive for Business
Explanation: Perform a search within an eDiscovery case against all SharePoint sites for the word End
Expected Result: Only Tim's OneDrive content will be returned in the search
Test Actions: Perform a content search against all sites
Comments from Test: Content search within the eDiscovery case returned Tod's files
Test Date: 8/6/2018
Result: Fail